The US Veterans Affairs Office of the Inspector General has conducted an audit and OK'ed the use of Apple's iPhones and iPads, despite the devices not meeting federal security encryption standards (FIPS 140-2 under FISMA requirements). Is the VA getting complacent, only six years since experiencing its largest data breach ever? Not quite. Rather, it's being more than cautious and using an extra set of "smartdevice" security applications.

FIPS 140-2 Hardware and Software

According to the "Department of Veterans Affairs: Review of Alleged Circumvention of Security Requirements for System Certification and Apple Mobile Devices" report by the VA Office of the Inspector General (OIG), Office of Audits and Evaluations, it is true that Apple's iPhone and iPad do not meet federal encryption requirements.

Both iDevices use 256-bit AES hardware encryption to protect the devices from outside hacks. AES, of course, is an encryption algorithm that is certified for use at all levels of the US government. As Wikipedia's entry on AES puts it:

In June 2003, the U.S. Government announced that AES may be used to protect classified information:

"The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use."

Why are Apple's devices not approved for government use, then? AES-256 is AES-256, right? As it turns out, it's not the use of AES-256 that the government is interested in, but rather how it's used. For example, is the use of the encryption implemented correctly, or is it a very robust component in what turns out to be a mere security façade?

Think of it this way: let's say you're trying to ensure a castle is secure. You check the gate, and the doors are made of elfin, magically-blessed wrought titanium-alloy slabs 24 inches thick (our AES-256 encryption). A strong defense, you think to yourself. Then you take a walk around the castle perimeter and find that it's a Potemkin fraud: there is no castle, just the front facing wall, with the gates, the towers, etc. All you need to do to get "inside" is to walk around the edge of this supposed castle.

As incredible as it sounds, it turns out that sometimes a secure encryption algorithm is implemented so poorly in a program that it doesn't matter how robust the encryption is: the rest of the program fails, security-wise.

Apple is still in the process of obtaining FIPS 140-2 validation from NIST, so, regardless of how its AES-256 hardware encryption is implemented (it could turn out that Apple's devices have the best security in the world), it would be illegal to use them in a government setting.

However, the OIG's audit found that the VA had used a FIPS 140-2 certified security application that encrypts "emails, calendars, and contacts" and other data. As long as the data is secure in one way, the fact that Apple's products have yet to be certified doesn't pose much of a security issue. In fact, the OIG found some reassurance that devices' encryption was used on top of the secure application (my emphases):

We determined that VA’s approach of allowing only FIPS 140-2 certified applications to access or store sensitive encrypted data on the mobile device met FISMA requirements for data protection. The manufacturer’s [Apple's] default hardware encryption controls have further minimized the risk of unauthorized disclosure of sensitive data while the 256-bit AES undergoes FIPS 140-2 certification testing.

Security is Ephemeral

As I noted, the VA had a massive data breach in 2006. It's unlikely that it would have engaged in poor security practices with that incident still fresh in many people's minds. Indeed, it was just last week that I noted the VA had successfully deployed encryption software on all of its laptops, and they were saying that there were six lasting incidents from its breach experience.

It must be remembered that data security and breach prevention are never-ending struggles. As the VA strengthens its data protection in one area, it will find a spike in another. In fact, in a federaltimes.com story covering the same FIPS 140-2 situation above, the Veterans Affairs CIO noted:

"All of our efforts to encrypt and really lock down our IT systems have been paying off, and the bulk of the breaches have been moving to paper," [VA CIO Roger Baker] said.


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.